Shlayer Mac Trojan Removal — Mac Restore Instructions

Shlayer Mac Trojan Removal — Mac Restore Instructions

This article has been created in order to give you insight on how to quickly remove the Shlayer Mac Trojan from your Mac effectively.

SIDENOTE: This post was originally published in July 2019. But we gave it an update in August 2019.

The Shlayer Mac Trojan is a very dangerous threat to all Mac computers as it can install itself silently and lead to data theft. Active infections can be made without any apparent symptoms and depending on the specific hacker instructions different actions can take place. This is the reason why affected users should remove it immediately.

Threat Summary

NameShlayer Mac Trojan
TypeMac OS Adware
Short DescriptionThe Shlayer Mac Trojan installs various malware on the target computers.
SymptomsThe victims may not experience any apparent signs of infection.
Distribution MethodEmails, infected software installers and other methods.
Detection Tool See If Your System Has Been Affected by Shlayer Mac Trojan


Malware Removal Tool

User ExperienceJoin Our Forum to Discuss Shlayer Mac Trojan.

Shlayer Mac Trojan — Update August 2019

Shlayer Mac Trojan

A new update of the Shlayer Mac Trojan has been recently discovered by security updates. The new version of the threat is being spread across the Internet using multiple methods however one of the most frequent ones is an installer or updater for the Adobe Flash Plugin. Links to it and download code are found on hijacker sites, hacked pages and email phishing messages.

It has been confirmed that the new Shlayer Mac Trojan affects all versions from 10.10.5 to 10.14.3. It can be really hard to detect using an anti-virus or anti-malware program as the threats employ multiple layers of obfuscation. The code analysis also reveals that it contains the functionality to detect and bypass active security software.

As soon as the intrusion is started the built-in malware code will start. Depending on the local conditions or hacker-instructions various actions will take place. One of the most common ones is the acessing of sensitive data including personal information about the users. The new version of the Shlayer Mac Trojan will also generate an unique ID for each infected host.

This is followed a privilege escalation which will deliver a secondary payload. This means that the Trojan can be used both to install other threats to the already compromised hosts and also to spy on the victims in real-time. Other names that the malware is also known include the following:

  • Trojan.Mac.Shlayer.f
  • Trojan.OSX.Shlayer-2
  • Trojan Mac Shlayer
  • OSX/Shlayer

Shlayer Mac Trojan — How Did I Get It

The Shlayer Mac Trojan is delivered through a complex delivery campaign through malicious advertising. The security analysis reveals that the detected samples are distributed via advanced malvertising payloads.

In this particular case the culprit is a malicious browser extension which is hosted on hacker-controlled sites. The dangerous code is disguised as an Adobe Flash Player installer. This type of attack behavior can be embedded in several different sources of infection besides the malicious sites:

  • Email Messages — The criminals can additionally use phishing tactics that impersonate legitimate companies and services that the users might be using. By falling victim to their body contents or any attached files the fake Adobe Flash Player file will be downloaded and started onto their computers.
  • File Sharing Networks — The payload files can be shared on networks like BitTorrent where such programs are frequently uploaded.
  • Malicious Documents — The Adobe Flash Player installer can be embedded in documents made by the criminals. All of the popular file formats can be affected: text files, presentations, databases and spreadsheets. The built-in contents can link to the dangerous files. The other technique is the automatic start of the file by inserting the required scripts into them. When the document files are opened a prompt will be launched asking the users to enable them. The reason quoted will be to correctly view the document.

Not only is the Adobe Flash Player install a malicious carrier, but also an image that conceals the steganography malware — the virus code will be started as soon as it is opened in the browser window. As the campaign is deemed very large it is estimated that as many as 5MM visitors may have been targeted with it.

The malvertising campaign will deliver the payload carrier which starts the hidden code leading to the Shlayer Mac Trojan installation.

Following the malicious sites and script redirects the victims can also be directed to several ad campaign landing pages. They will deliver another set of malicious application installers, depending on the campaigns. Some of the examples include the following malware copies:

  • Update Flash Now!
  • Windows 10 PC Repair

Shlayer Mac Trojan — Full Description

Upon launching the Shlayer Mac Trojan code the first part of the infection will commence — a shell script decrypting a file found in the Application Resources directory. This malicious file is deployed there in order to hide its appearance from common user locations such as their home folder.

This will start a sequence of a several stage delivery Trojan, including the unpacking of a password-protected ZIP archive containing further malware scripts. The Shlayer Mac Trojan at the moment is configured to lead to other infections. However given its complex modular design it can easily be used for other malicious purposes, including the following:

  • Information Harvesting — The engine can be used to harvest data that can be configured to extract both machine metrics and user information. The first category is used to generate an unique ID that is assigned to each individual machine. This is done via an algorithm that uses list of installed hardware components, user settings and other operating system metrics. It can also directly expose the identity of the victims by looking out for strings that can reveal their name, address, phone number, location and any stored account credentials.
  • System Changes — To facilitate further infections the payload code can make various changes to the compromised machines — configuration files, operating system environment values and user settings.
  • Boot Options Modifications — By accessing the Mac OS computers settings the Shlayer Trojan can set itself or the other deployed payloads to automatically start when the computer is powered on.
  • Additional Payload Delivery — It can be used to deliver other threats to the computers such as miners and ransomware.

Future updates to the Shlayer Mac Trojan can deploy all kinds of other modules.


Martin Beltov

Martin graduated with a degree in Publishing from Sofia University. As a cyber security enthusiast he enjoys writing about the latest threats and mechanisms of intrusion.

More Posts - Website

Follow Me:
TwitterGoogle Plus

Leave a Comment

Your email address will not be published. Required fields are marked *

Time limit is exhausted. Please reload CAPTCHA.

Share on Facebook Share
Share on Twitter Tweet
Share on Google Plus Share
Share on Linkedin Share
Share on Digg Share
Share on Reddit Share
Share on Stumbleupon Share